| Age | Commit message (Collapse) | Author |
|
firewall: T8991: Fix IndexError with domain resolver mishandling blank lines
|
|
bgp: T8223: Prevent `advertise-all-vni` in multiple BGP VRF instances simultaneously
|
|
T8923: normalize "can not" to "cannot" and other typo fixes
|
|
|
|
|
|
|
|
|
|
|
|
Replace two-word "can not" / "Can not" with "cannot" across comments,
ConfigError messages, CLI help text, and op-mode output.
Standard SNMP MIB files under mibs/ are left unchanged.
|
|
|
|
pki: T8165: Add ability to show certificate full chain in pem format
|
|
`sed` ranges keyed on a field name (`plaintext-password`, `encrypted-password`,
`authentication {`) are not bounded to the target user's block. When the
field is absent the range stays open past the user's closing brace and
matches the first occurrence of that field in a later account.
|
|
|
|
This is no real need to have these in config_mgmt; moving to config_sync
will localize needed modifications to local/remote configs for exclusion
mask.
|
|
dhcpv6: T8953: Add validation for duplicate static-mapping address and prefix
|
|
|
|
T8976: explicitly remove 'kernel' entry in ttyS0 device setting on choice of 'tty' during image install
|
|
vpp: T8930: Block vif driver to prevent unhandled traceback on XCP-NG
|
|
salt: T8973: remove feature
|
|
|
|
Commit 35db941bcf30 ("serial: T8375: add CLI option to explicitly set kernel
console") added a migration script to alter the CLI for the kernel boot console.
The migrations script early exist check does not work, as the statement never
evaluates to true, thus the CLI Migration for Kernel console parameter is always
called, even if undesired.
|
|
As salt has been marked deprecated via T8056 and is thus deprecated in VyOS 1.5
and VyOS 1.4 it is time to remove it from the rolling release.
|
|
simultaneously
FRR only allows one BGP instance to hold `advertise-all-vni` at a time
(FRR issue #9405). When a default BGP instance is present it is always
started before named VRF instances, so if a named VRF holds
the flag FRR silently rejects it on every boot (regardless of default
EVPN config), causing the running config to diverge from what is
stored in VyOS.
Enforce the following policy in verify():
- Default BGP instance may always hold `advertise-all-vni`.
- A named VRF may hold it only when no default BGP instance exists.
- Only one BGP instance (default or named VRF) may hold it at a time.
The default BGP verify path additionally scans dependent VRFs so that
adding or modifying the default BGP instance while a named VRF already
holds the flag is caught even when the VRF node is not part of the
current commit.
|
|
Signed-off-by: Miaosen Wang <secretandanon@gmail.com>
|
|
vrf: T8936: Specify `pref 1998` when deleting fwmark routing rules on VRF removal
|
|
When a key-name is set under dynamic-dns-update forward-domain or
reverse-domain, validate that the referenced TSIG key is defined under
dynamic-dns-update tsig-key. Previously the missing key was only caught
at runtime, causing kea-dhcp-ddns to fail to start with a fatal error.
Also fix a pre-existing bug in `verify_ddns_domain` (formerly
`verify_ddns_domain_servers`) where the function was called with the full
tagNode dict but iterated as if it received a single domain config,
causing the DNS server address check to never actually run.
|
|
removal
|
|
VPP bond teardown was triggered on every commit regardless of
what changed, dropping all subinterfaces and BGP sessions even
for trivial changes like descriptions or IP addresses.
Only mode, hash-policy and mac_address require full recreation
since VPP has no in-place update API for these; all other
changes are now applied incrementally.
|
|
Add op-mode command having ability to show certificate
full chain in pem format as part of PKI configuration.
The certificates are ordered beginning with the end
entity (leaf) certificate, followed by any intermediate
certificates and finally the private key if requested.
This allows users to easily export a certificate along
with its CA hierarchy for use in external applications,
that require the full chain to be provided in a single
file.
One can now run the following commands:
```
show pki ca NAME pem full-chain
show pki certificate NAME pem full-chain
show pki certificate NAME private pem full-chain
```
|
|
dhcp: T8933: Honor system timezone for timestamp display in op mode
|
|
password-reset: T8346: Fix password recovery when only `plaintext-password` is set
|
|
T8492: CRL generated by VyOS PKI lacks X.509 extensions required for strongSwan validation
|
|
|
|
The `vif` driver is fundamentally incompatible with VPP — no DPDK poll-mode
driver exists for Xen paravirtual interfaces and no PCI address is exposed,
so `allow-unsupported-nics` cannot rescue it either.
|
|
is set
When a user account was provisioned with only `plaintext-password` (e.g.
via cloud-init), the password recovery tool failed to persist the new
password across reboots. On the next boot, VyOS would re-apply the
`plaintext-password` from config.boot, silently overwriting the recovered
encrypted password.
|
|
DHCP restarts
_handle_dhcp_events() restarts dhclient/dhcp6c on every RTM_NEWLINK
that carries operstate=UP, regardless of whether the interface was
already UP. Normal kernel events that re-notify UP without a preceding
DOWN (e.g. post-migration gratuitous-ARP, promiscuous-mode toggles)
trigger unnecessary DHCP restarts. Each restart also creates a feedback
loop: dhclient-script runs "ip link set dev <if> up" during PREINIT,
which emits another RTM_NEWLINK(UP), which triggers another restart.
One seed event becomes 10+ restarts in 15 seconds.
Add a module-level dict tracking the last observed operstate per
interface. Only proceed with the DHCP restart when the transition is
DOWN-to-UP or when no previous state is recorded (first boot / service
restart). UP-to-UP re-notifications are suppressed with a LOG_DEBUG
message.
Validated on a production VyOS 2026.05.26-1327-rolling router: a
controlled KVM live migration after the patch produced zero DHCP
restarts (all UP-to-UP events suppressed), with no impact on normal
DOWN-to-UP DHCP recovery.
|
|
conntrack: T8308: Add per-flow counters and VRF filter to conntrack table
|
|
|
|
Add `hostname` as a valid sort key for both DHCPv4
and DHCPv6 leases and static mappings.
|
|
The time displayed in DHCP v4/v6 server lease op-mode
commands should honor system timezone and not force
UTC timezone.
This would keep the timestamps in the output of
`show log dhcp server` or `show log dhcpv6 server`
consistent with the timestamps in the output of
`show dhcp server leases` or `show dhcpv6 server leases`
commands.
|
|
T8454: fix VRF-bind port availability check in service_https
|
|
T8502: Add exclusion mask to config-sync
|
|
|
|
|
|
|
|
|
|
python: T8857: replace bare except clauses with except Exception in config scripts
|
|
When service https is configured with a listen-address on a VRF
interface, adding or changing the vrf option causes the commit to
fail with "TCP port 443 is used by another service!" even though
no conflict exists.
Root cause: check_port_availability() performs a socket.bind() in
the default network namespace. When the listen-address belongs to
a VRF interface the address is unreachable from the default
namespace, so the bind fails with OSError which is misinterpreted
as "port in use". The secondary check via is_listen_port_bind_service()
also fails because psutil cannot see sockets bound inside a VRF.
Fix: add an optional vrf parameter to check_port_availability().
When set, the test socket is bound to the VRF master device via
SO_BINDTODEVICE before the bind() call, so that the address is
resolved in the correct L3 domain. This is done in-process (no
subprocess) and works for both IPv4 and IPv6.
service_https verify() now passes the configured VRF (if any) to
check_port_availability(). Non-VRF configurations are unaffected.
Add smoke test for HTTPS with listen-address inside a VRF.
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
snmp: T8538: Persist engineBoots counter across reboots
|
|
When setting 'vpn ipsec logging log-level 0', DPD informational
messages (log level 1) were still appearing in the system journal.
The root cause is that charon-systemd reads both `charon-systemd.conf`
and `charon-logging.conf` and applies the higher of the two log levels
to the journal. The VyOS only managed `charon-systemd.conf`, leaving
`charon-logging.conf` at its default level of 1, which silently overrode
the user-configured level.
Fix this by rendering `charon-logging.conf` on every commit with
syslog backend set to -1 (silent), making `charon-systemd.conf`
the sole authoritative source for journal log verbosity.
This also eliminates duplicate log entries in the journal that occurred
when both backends were active and writing to the same destination.
|